Apache Security

mod_core

Minimal server info

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

Lower timeout

The default values (CentOS: 120, Gentoo: 300) are high, and can be reduced to help mitigate a denial of service, unintentional or otherwise.

# Timeout: The number of seconds before receives and sends time out.
Timeout 45

Disable trace behavior

# TraceEnable
# This directive overrides the behavior of TRACE for both the core server and
# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
# which disallows any request body to accompany the request. TraceEnable off
# causes the core server and mod_proxy to return a 405 (Method not allowed)
# error to the client.
# For security reasons this is turned off by default. (bug #240680)
TraceEnable off

Disable server signature

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off

Disable range headers

RequestHeader unset Range

Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video.